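# NixOS module for the AMD desktop hosts. Everything shared with other hosts
# (base nix settings, gc, experimental-features) lives in ./common.nix; this
# file only carries desktop-specific hardware, boot, services and user config.
#
# Module arguments beyond the standard ones:
#   username     - login name of the primary user account created below
#   site_config  - site-wide settings (binary cache URL and signing key)
#   niri-package - the niri compositor package registered as a DM session
#   inputs       - flake inputs (disko, nixos-hardware, nix-cachyos-kernel)
{ config, options, pkgs, lib, username, inputs, site_config, niri-package, ... }:
{
  imports = [
    ./common.nix
    # desktop-only modules
    ./desktop-vm.nix
    ./desktop-steam.nix
    ./desktop-networkmanager.nix
    ./desktop-age-secrets.nix
    ./desktop-lanzaboote-agenix.nix
    inputs.disko.nixosModules.disko
    inputs.nixos-hardware.nixosModules.common-cpu-amd-pstate
    inputs.nixos-hardware.nixosModules.common-cpu-amd-zenpower
    inputs.nixos-hardware.nixosModules.common-pc-ssd
  ];

  # allow overclocking (I actually underclock but lol)
  # The nixos amdgpu module only emits the amdgpu.ppfeaturemask kernel
  # parameter when overdrive.enable is set, so the mask on its own was inert;
  # enable it explicitly. 0xFFFFFFFF unmasks every PowerPlay feature bit
  # (overdrive, clock/voltage control included), so clock/voltage changes from
  # any root process take effect unfiltered — keep tuning tools trusted.
  hardware.amdgpu.overdrive = {
    enable = true;
    ppfeaturemask = "0xFFFFFFFF";
  };

  # Add niri to display manager session packages
  services.displayManager.sessionPackages = [ niri-package ];

  programs = {
    gamescope = {
      enable = true;
      # setuid/cap wrapper so gamescope can raise its scheduling priority
      capSysNice = true;
    };
    steam = {
      enable = true;
      gamescopeSession.enable = true;
    };
  };

  system.activationScripts = {
    # FIX: https://github.com/NixOS/nix/issues/2982
    # Activation scripts are concatenated into one shell script, so the
    # shebang below is effectively a comment; it is kept for readability.
    "profile-channel-dummy".text = ''
      #!/bin/sh
      mkdir -p /nix/var/nix/profiles/per-user/root/channels
    '';
  };

  swapDevices = [ ];

  # Desktop-specific Nix cache — muffin serves it, desktops consume.
  # Base nix settings (optimise, gc, experimental-features) come from common.nix.
  # Only store paths signed with site_config.binary_cache.public_key are
  # accepted from this substituter; the HTTP credentials come from an agenix
  # secret so they never land in the store. Presumably these lists merge with
  # the nixpkgs defaults (cache.nixos.org stays) — confirm with `nix config show`.
  nix.settings = {
    substituters = [ site_config.binary_cache.url ];
    trusted-public-keys = [ site_config.binary_cache.public_key ];
    netrc-file = config.age.secrets.nix-cache-netrc.path;
  };

  # cachyos kernel overlay
  nixpkgs.overlays = [ inputs.nix-cachyos-kernel.overlays.default ];

  # kernel options
  boot = {
    # cachyos kernel: bore scheduler, full lto, x86_64-v3 (common to zen 3 + zen 5)
    # NOTE(review): the comment above describes the cachyos kernel, but the
    # attribute selected is linuxPackages_latest; unless the
    # nix-cachyos-kernel overlay redefines that attribute, this boots the stock
    # latest kernel — confirm which kernel is intended.
    kernelPackages = pkgs.linuxPackages_latest;

    initrd = {
      # aes_generic is built-in as of linux 7.0, no longer a loadable module
      luks.cryptoModules = lib.mkForce (
        lib.filter (m: m != "aes_generic") options.boot.initrd.luks.cryptoModules.default
      );
      # some default initrd modules (ata_piix etc) don't exist with ATA_SFF=n
      allowMissingModules = true;
      systemd.enable = true;
      compressor = "zstd";
      # own the display from initrd, no fbcon handoff
      kernelModules = [ "amdgpu" ];
      availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usbhid" ];
    };

    lanzaboote = {
      enable = true;
      # TODO: proper secrets management so this is not stored in nix store
      # (a string path like this is not copied into the store; the signing
      # keys stay on the host filesystem under /var/lib/sbctl, root-only)
      pkiBundle = "/var/lib/sbctl";
    };

    # Bootloader.
    loader = {
      efi.canTouchEfiVariables = true;
      timeout = 1;
      /* Lanzaboote currently replaces the systemd-boot module. This setting is
         usually set to true in configuration.nix generated at installation
         time. So we force it to false for now. */
      systemd-boot.enable = lib.mkForce false;
      # presumably picked up by lanzaboote as its configurationLimit default — confirm
      systemd-boot.configurationLimit = 10;
    };

    # msr: exposes /dev/cpu/*/msr (root-only device nodes) for CPU tuning/monitoring
    # tools — presumably needed by the zenpower/pstate modules imported above.
    kernelModules = [ "kvm-amd" "ip_tables" "iptable_nat" "msr" "btusb" ];
  };

  services = {
    # auto detect network printers
    avahi = {
      enable = true;
      nssmdns4 = true;
      # opens 5353/udp; mDNS is only useful on trusted LANs anyway
      openFirewall = true;
    };

    # Enable CUPS to print documents.
    printing = {
      enable = true;
      drivers = with pkgs; [ hplip ];
    };

    # I don't want fingerprint login
    fprintd.enable = false;

    # Making sure mullvad works on boot
    mullvad-vpn.enable = true;

    # power statistics
    upower.enable = true;

    # power profiles for noctalia shell
    power-profiles-daemon.enable = true;

    # geolocation (uses beacondb.net by default)
    geoclue2 = {
      enable = true;
      # only this app is allowed to query location; it runs per-user, not as a system agent
      appConfig.zen-twilight = {
        isAllowed = true;
        isSystem = false;
      };
    };
  };

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";

  # Enable Bluetooth
  hardware.bluetooth = {
    enable = true;
    powerOnBoot = true;
    # Enable experimental features for battery % of bluetooth devices
    settings.General.Experimental = true;
  };

  # Apply gtk themes by enabling dconf
  programs.dconf.enable = true;

  # Enable sound with pipewire.
  services.pulseaudio.enable = false; # pipewire >>>>>>> pulseaudio
  # rtkit lets pipewire request realtime scheduling without running as root
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
  };

  # Define my user account (the rest of the configuration if found in `~/.config/home-manager/...`)
  # wheel grants sudo; video/camera/adbusers grant device access (gpu, webcams, adb).
  # The password hash is an agenix secret, so it is never written to the store.
  users.users.${username} = {
    isNormalUser = true;
    extraGroups = [ "networkmanager" "wheel" "video" "camera" "adbusers" ];
    hashedPasswordFile = config.age.secrets.password-hash.path;
  };

  services.gvfs.enable = true;
  programs.gphoto2.enable = true;

  # Enable thermal data
  services.thermald.enable = true;

  # smartcard daemon (used by gpg for hardware tokens)
  services.pcscd.enable = true;
  programs.gnupg.agent = {
    enable = true;
    pinentryPackage = pkgs.pinentry-curses;
    # ssh keys are handled elsewhere; gpg-agent does not act as ssh-agent here
    enableSSHSupport = false;
  };

  # System packages
  environment.systemPackages = with pkgs; [
    # mullvad-vpn is provided by services.mullvad-vpn.enable
    #secureboot ctl
    sbctl
    dmidecode
    glib
    usbutils
    libmtp
    man-pages
    man-pages-posix
    # needed for home-manager
    git
    tmux
    android-tools
  ];

  # wayland with electron/chromium applications
  environment.sessionVariables.NIXOS_OZONE_WL = "1";

  # port 53317 for localsend
  networking.firewall.allowedUDPPorts = [ 53317 ];
  networking.firewall.allowedTCPPorts = [ 53317 ];

  system.stateVersion = "25.05";
  nixpkgs.hostPlatform = "x86_64-linux";

  documentation.enable = true;
  documentation.man.enable = true;
  documentation.dev.enable = true;
}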